Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

Security researchers from Webroot have intercepted a currently spamvertised malicious campaign, impersonating Hewlett Packard, and enticing end and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Subject: Re: Scan from a Hewlett-Packard ScanJet [random number]Message:Attached document was scanned and sent to you using a Hewlett-Packard NetJet 730918SL. SENT BY : ANISSA PAGES : 5 FILETYPE: .HTM [Internet Explorer File]Original attachment:HP_Jet_26_P2184.zipMalicious iFrame embedded within the .htm attachment:hxxp://superproomgh.ru:8080/navigator/jueoaritjuir.php

The client-side exploits serving domain superproomgh.ru is currenly fast-fluxed, namely it’s responding to multiple, dynamically changing IP addresses in an attempt by the cybercriminals behind the campaingn, to make it harder for vendors and researchers to take it down.

The campaign is attempting to exploit the “Libtiff integer overflow in Adobe Reader and Acrobat” vulnerability, also known as CVE-2010-0188 in an attempt to drop the following MD5 on the exploited hosts – MD5:20de62566248864be3b0e413b332d731 currently detected as Win32:Sirefef-RV [Drp], Trojan.Generic.KDV.582649, HEUR:Trojan.Win32.Generic, or PWS-Zbot.gen.hv.

Webroot security researchers will continue monitoring this campaign to ensure that Webroot SecureAnywhere customers are protected from this threat.